b"Audit Report\n\n\n\n\nOIG-09-028\nManagement Letter for the Fiscal Year 2008 Audit of the\nDepartment of the Treasury\xe2\x80\x99s Financial Statements\n\n\nJanuary 8, 2009\n\n\n\n\nOffice of\nInspector General\nDepartment of the Treasury\n\x0c                                     DEPARTMENT OF THE TREASURY\n                                           W ASHINGTON, D.C. 20220\n\n\n\n\n     OFFICE OF\nINSPECTOR GENERAL\n                                              January 8, 2009\n\n\n            MEMORANDUM FOR PETER B. MCCARTHY\n                           ASSISTANT SECRETARY FOR MANAGEMENT\n                           AND CHIEF FINANCIAL OFFICER\n\n            FROM:                 Joel A. Grover /s/\n                                  Deputy Assistant Inspector General\n                                   for Financial Management and Information\n                                   Technology Audits\n\n            SUBJECT:              Management Letter for the Fiscal Year 2008 Audit of the\n                                  Department of the Treasury\xe2\x80\x99s Financial Statements\n\n            I am pleased to transmit the attached management letter in connection with the\n            audit of the Department of the Treasury\xe2\x80\x99s (Department) Fiscal Year 2008 financial\n            statements. Under a contract monitored by the Office of Inspector General, KPMG\n            LLP (KPMG), an independent certified public accounting firm, performed an audit of\n            the financial statements of the Department as of September 30, 2008 and for the\n            year then ended. The contract required that the audit be performed in accordance\n            with generally accepted government auditing standards; applicable provisions of\n            Office of Management and Budget Bulletin No. 
07-04, Audit Requirements for\n            Federal Financial Statements; and the GAO/PCIE Financial Audit Manual.\n\n            As part of its audit, KPMG issued and is responsible for the accompanying\n            management letter that discusses other matters involving internal control over\n            financial reporting and other operational matters that were identified during the\n            audit, but were not required to be included in the audit report.\n\n            In connection with the contract, we reviewed KPMG\xe2\x80\x99s letter and related\n            documentation and inquired of its representatives. Our review disclosed no\n            instances where KPMG did not comply, in all material respects, with generally\n            accepted government auditing standards.\n\n            Should you have any questions, please contact me at (202) 927-5768, or a\n            member of your staff may contact Mike Fitzgerald, Director, Financial Audits at\n            (202) 927-5789.\n\n            Attachment\n\x0cDEPARTMENT OF THE TREASURY\n      FISCAL YEAR 2008\n      Management Letter\n\n      November 17, 2008\n\x0c                           DEPARTMENT OF THE TREASURY\n                                     Fiscal Year 2008\n                                  Management Letter Report\n\n\n\n                                      Table of Contents\n\n                                                                               Page\n\nTransmittal Letter                                                                1\n\n       08-01: President\xe2\x80\x99s Budget Reconciliation (Repeat Comment)                  3\n      08-02: Financial Reporting Standards for Treasury\xe2\x80\x99s Component Entities\n             (Repeat Comment)                                                     5\n      08-03: Mortgage Backed Securities (MBS) Purchase Reconciliations            7\n      08-04: Disaster Recovery Procedures (Repeat Comment)                        8\n     
 08-05: Database-level User Access                                          10\n\n\nExhibit 1 \xe2\x80\x93 Status of Prior Year Management Letter Comments                      11\n\x0c                                 KPMG LLP\n                                 2001 M Street, NW\n                                 Washington, DC 20036\n\n\nNovember 17, 2008\n\nInspector General\nU.S. Department of the Treasury\nWashington, D.C.\n\nWe have audited the consolidated financial statements of U.S. Department of the Treasury\n(Department/Treasury) as of and for the year ended September 30, 2008, and have issued our report\nthereon dated November 17, 2008. Our report indicated that we did not audit the amounts included\nin the consolidated financial statements related to the Internal Revenue Service (IRS), a component\nentity of the Department. The financial statements of the IRS were audited by another auditor\nwhose report has been provided to us.\n\nIn planning and performing our audit of the consolidated financial statements of the Department in\naccordance with auditing standards generally accepted in the United States of America, we\nconsidered the Department\xe2\x80\x99s internal control over financial reporting (internal control) as a basis\nfor designing our auditing procedures for the purpose of expressing our opinion on the financial\nstatements, but not for the purpose of expressing an opinion on the effectiveness of the\nDepartment\xe2\x80\x99s internal control. Accordingly, we do not express an opinion on the effectiveness of\nthe Department\xe2\x80\x99s internal control.\nDuring our fiscal year (FY) 2008 audit of the Department\xe2\x80\x99s consolidated financial statements, we\nand the other auditor noted certain matters involving internal control and other operational matters\nthat we considered to be significant deficiencies under standards established by the American\nInstitute of Certified Public Accountants (AICPA). 
A control deficiency exists when the design or\noperation of a control does not allow management or employees, in the normal course of\nperforming their assigned functions, to prevent or detect misstatements on a timely basis. A\nsignificant deficiency is a control deficiency, or combination of control deficiencies, that adversely\naffects the entity\xe2\x80\x99s ability to initiate, authorize, record, process, or report financial data reliably in\naccordance with generally accepted accounting principles such that there is more than a remote\nlikelihood that a misstatement of the entity\xe2\x80\x99s financial statements that is more than inconsequential\nwill not be prevented or detected by the entity\xe2\x80\x99s internal control. A material weakness is a\nsignificant deficiency, or combination of significant deficiencies, that results in more than a remote\nlikelihood that a material misstatement of the financial statements will not be prevented or detected\nby the Department\xe2\x80\x99s internal control.\n\nOur consideration of internal control was for the limited purpose described above and would not\nnecessarily identify all deficiencies in internal control that might be significant deficiencies or\nmaterial weaknesses. In our Independent Auditors\xe2\x80\x99 Report dated November 17, 2008, we reported\nthe following matters involving internal control and its operations that we and the other auditor\nconsidered to be significant deficiencies.\n    \xe2\x80\xa2   Financial Systems and Reporting at the IRS (Repeat Condition)\n    \xe2\x80\xa2   Financial Management Practices at the Departmental Level (Repeat Condition)\n    \xe2\x80\xa2   Controls Over Foreign Currency Transactions\n\n\n\n\n                                  KPMG LLP. KPMG LLP, a U.S. 
limited liability partnership, is\n                                  a member of KPMG International, a Swiss cooperative.\n\x0cWe consider the significant deficiency related to Financial Systems and Reporting at the IRS, noted\nabove, to be a material weakness. Detailed findings and recommendations to address the above\nsignificant deficiencies are not repeated within this document.\n\nAlthough not considered significant deficiencies, we noted certain matters involving internal\ncontrol and other operational matters that are presented in the attachment for your consideration.\nThese comments and recommendations, all of which have been discussed with the appropriate\nmembers of the Department\xe2\x80\x99s management, are intended to improve internal control or result in\nother operating efficiencies. The matters presented in this letter do not include internal control or\noperational matters that have been presented to the management of the Department\xe2\x80\x99s offices or\noperating bureaus that were audited separately by other auditors.\n\nExhibit 1 provides the status of the 11 comments included in our management letter arising from\nour FY 2007 audit. We have not considered the Department\xe2\x80\x99s internal control since the date of our\nreport.\n\nWe appreciate the courteous and professional assistance that Department personnel extended to us\nduring our audit. 
We would be pleased to discuss these comments and recommendations with you\nat any time.\n\nThe Department\xe2\x80\x99s written response to our comments and recommendations has not been subjected\nto the auditing procedures applied in the audit of the consolidated financial statements, and\naccordingly, we express no opinion on it.\n\nThis communication is intended solely for the information and use of the management of the\nDepartment, the Department\xe2\x80\x99s Office of Inspector General, the Office of Management and Budget,\nthe Government Accountability Office, and Congress and is not intended to be, and should not be,\nused by anyone other than these specified parties.\n\nVery truly yours,\n\n\n\n\n                                                 2\n\x0c                             FISCAL YEAR 2008 COMMENTS\n\n08-01: President\xe2\x80\x99s Budget Reconciliation (Repeat Comment)\nThe Department of the Treasury\xe2\x80\x99s (Treasury/Department) Office of Performance Budgeting and\nStrategic Planning (OPBSP) prepares the annual reconciliation of Treasury\xe2\x80\x99s Budgetary Resources,\nOutlays, Offsetting Receipts, and Obligations Incurred reported in the President\xe2\x80\x99s Budget (PB) to\ncomparable information contained in Treasury\xe2\x80\x99s Statement of Budgetary Resources (SBR) (PB\nReconciliation) for disclosure in Treasury\xe2\x80\x99s consolidated financial statements as required by\nStatement of Federal Financial Accounting Standards (SFFAS) No. 7, Accounting for Revenue and\nOther Financing Sources. The PB Reconciliation is then provided to the Department\xe2\x80\x99s Office of\nAccounting and Internal Control (AIC) for final review and approval prior to inclusion in the\nDepartment\xe2\x80\x99s consolidated financial statements. 
Our review of the PB Reconciliation prepared for\ninclusion in the FY 2008 consolidated financial statements revealed the following:\n\n   \xe2\x80\xa2   Sufficient management reviews were not performed on documentation provided to support\n       the PB Reconciliation by either OPBSP or AIC.\n\n   \xe2\x80\xa2   Initial documentation provided to support the PB Reconciliation did not fully support\n       reconciling amounts reported in the PB Reconciliation. For example, the detailed analyses\n       prepared by OPBSP for each Treasury component of what was reported in the PB\n       compared to what was reported in the respective component\xe2\x80\x99s Statement of Budgetary\n       Resources was either incorrect in some instances or not provided. In addition, extracts\n       from the PB for amounts used in the reconciliation were not provided that would directly\n       link back to amounts in the detailed analysis provided by OPBSP in support of the PB\n       Reconciliation.\n\nIn response to questions raised, the OPBSP provided additional documentation, revised the PB\nReconciliation on several occasions to incorporate auditor-requested changes, and assisted with\nresolving the issues identified.\nFurther improvements are needed to improve the process of preparing the reconciliation and\nexpediting its review. Although differences identified were ultimately fully explained and\nsupported, the initial supporting documentation provided was not comprehensive enough to\neliminate the detailed discussions needed to understand the Department\xe2\x80\x99s unique budget\ntransactions and how they contribute to the PB Reconciliation.\n\nOffice of Management and Budget (OMB) Circular A-136, Financial Reporting Requirements\n(OMB Circular No. A-136), provides guidance for preparing the note on Reconciliation of the SBR\nto the PB. Section II.4.2 of OMB Circular No. 
A-136, states \xe2\x80\x9cAgencies should discuss any\nmaterial changes to budgetary information subsequent to the publication of the audited SBR with\ntheir auditors to determine if restatement or note disclosure is necessary. At a minimum, any\nmaterial differences between comparable information contained in the SBR and the actual\ninformation presented in the Budget of the United States Government must be disclosed in the\nnotes to the SBR.\xe2\x80\x9d\n\n\n\n\n                                               3\n\x0cIn addition, GAO\xe2\x80\x99s Standards for Internal Control in the Federal Government 1 (GAO Internal\nControl Standards) states \xe2\x80\x9cInternal control and all transactions and other significant events need to\nbe clearly documented, and the documentation should be readily available for examination. The\ndocumentation should appear in management directives, administrative policies, or operating\nmanuals and may be in paper or electronic form.\xe2\x80\x9d\nThe adequacy of review issues discussed above occurred mainly because existing OPBSP and AIC\nsenior staff work loads exceed what can be reasonably conducted by senior staff. Therefore,\ninsufficient time is available to be spent on supervisory reviews and other financial management\nactivities. This has resulted in increased reliance being placed on the audit of the PB Reconciliation\nto identify errors and omissions.\nFurther, Treasury relies on the knowledge and skills of key experienced OPBSP officials to prepare\nthe PB Reconciliation. However, because the PB Reconciliation is performed at the Department\nlevel, the lack of intimate knowledge of component transactions contributed to initial\nmisclassification of budgetary resources for reconciliation purposes. 
This led to additional efforts\nto obtain documentation and increased time spent on the PB Reconciliation that, had the PB\nReconciliation been performed by each component, could have been minimized.\n08-01 Recommendations\n\nWe recommend that the CFO with input from the Director, OPBSP, and the Director, AIC:\n\n(1) Update policies and procedures to include the details of the required documentation that is\n    necessary to support the PB Reconciliation, as well as review and approval procedures\n    required by authorized Treasury officials.\n\n(2) Instruct all Treasury components to reconcile their respective SBR amounts to amounts\n    included in the PB, and provide the operating procedures needed for the PB Reconciliation to\n    components. This will streamline the process, provide better detail and clarification of\n    reconciling items, and remove the significant time demands on already stretched Departmental\n    staff. Once received, OPBSP and AIC should only consolidate the data. At the component\n    level, management should classify amounts reported in the SBR and PB by reconciling\n    budgetary sources to fund symbols, along with an explanation for each reconciling item, and\n    also explain what funds are included in the line item. Components should be instructed to\n    utilize the President\xe2\x80\x99s Budget Appendix Program and Financing Schedule amounts for the\n    reconciliation. By reconciling all balances, Treasury will be able to better analyze the material\n    differences between the SBR and the actual amounts reported in the PB.\n\n\n\n\n1\n U.S. Government Accountability Office, Standards for Internal Control in the Federal Government, GAO/AIMD-00-\n21.3.1, November, 1999.\n\n\n\n\n                                                       4\n\x0cManagement Response\n\nThe Department agrees with these recommendations. 
AIC and OPBSP will update the PB\nreconciliation policies and procedures to ensure that proper preparation, review, approval and\ndocumentation requirements are addressed.\n\nWe believe the PB reconciliation process should be streamlined to the maximum extent possible.\nAIC/OPBSP reviewed the reconciliation procedure in FY 2008. AIC and OPBSP developed a\nCFO Vision standardized template to prepare the Department\xe2\x80\x99s reconciliation worksheet. This\nworksheet identifies bureau and component entity differences. By automating the initial\nreconciliation process, OPBSP and AIC staff focused more time on explaining differences and\ngetting supporting documents from bureaus. The template developed and used for FY 2008 was\ncomplicated. It was not sufficiently complete to provide all detailed information needed to support\nthe reconciliation. Accordingly, it was only useful in providing accurate information on Expired\nand Treasury Managed Accounts. Subsequent meetings between OPBSB and KPMG produced a\ntemplate that if generated by CFO Vision would adequately provide supporting documentation for\nthe President's Budget Reconciliation and facilitate the review by OPBSP and AIC. We plan on\nexploring the possibility of automating this template in FY 2009.\n\nWe will also consider involving the bureaus and other components in the reconciliation process to\nthe extent practicable. In most cases, the bureaus\xe2\x80\x99 data will always be identical to the PB data; it is\njust certain unique situations which cause the reconciliation complications. For example, the FMS\ndata in the PB are the responsibility of five different accounting offices, one of those outside of\nTreasury. Bureaus in this situation will need to create additional worksheets to show what they are\nreconciling to, which may make it overly cumbersome for these bureaus to perform complete\nreconciliations. 
Thus, we need to work with the bureaus to determine the most efficient approach\nto the overall reconciliation process.\n\n08-02: Financial Reporting Standards for Treasury\xe2\x80\x99s Component Entities (Repeat Comment)\nThe Department\xe2\x80\x99s consolidated financial statements are prepared in conformity with accounting\nprinciples prescribed by the Federal Accounting Standards Advisory Board (FASAB), the\naccounting standards-setting body for the Federal Government, as recognized by the AICPA in\nOctober 1999. However, certain Treasury component entities prepare their financial statements in\naccordance with accounting standards prescribed by the Financial Accounting Standards Board\n(FASB), the private sector standards-setting body, since the FASAB has allowed entities that\nissued financial statements prior to October 1999 using FASB accounting to continue to do so.\nThese component entities include the Bureau of Engraving and Printing, the Office of Thrift\nSupervision, the Exchange Stabilization Fund, the Federal Financing Bank, and the Community\nDevelopment Financial Institutions Fund.\nThe use of a combination of generally accepted accounting principles (GAAP) by the Department\nand its component entities complicates the preparation of the Department\xe2\x80\x99s consolidated financial\nstatements since additional information required for Federal GAAP reporting must be developed,\nmapped, and submitted to the Department\xe2\x80\x99s data warehouse by component entities, and reviewed\nfor compliance with Federal GAAP and overall reasonableness by Department accounting\n\n\n\n\n                                                  5\n\x0cmanagement. In addition, the separately issued financial statements of the component entities using\nFASB accounting principles do not adequately portray the importance of the budgetary process as\nit relates to Federal entities. 
Consequently, the concept of \xe2\x80\x9cpresents fairly\xe2\x80\x9d for those entities does\nnot adequately convey the significant budgetary disclosures required by Federal GAAP.\nPrivate sector GAAP does not contemplate budgetary reporting, and therefore, components using\nthis basis of accounting do not prepare the SBR, although this statement is an integral part of the\nDepartment\xe2\x80\x99s consolidated financial statements, and must be prepared regardless of whether the\ncomponent receives appropriations from the U.S. Government or not. Moreover, information\nreported in the Department\xe2\x80\x99s SBR must be reconciled to enacted amounts in the President\xe2\x80\x99s Budget\nand disclosed in the notes to the Department\xe2\x80\x99s consolidated financial statements. Considerable\nadditional preparation is required to develop and report this data at the Department level for\ncomponents using private sector GAAP.\nAdditionally, private sector GAAP does not provide sufficient information regarding the costs of\nprograms and activities. The Statement of Net Cost required by Federal GAAP requires that costs\nand offsetting earned revenues be presented by responsibility segments, with net costs identified\nfor each of the segments, in order to provide more meaningful information to evaluate the\noperating results of major activities.\nFurther, inconsistencies exist in how certain costs are reported by entities using private sector\nGAAP. For example, Federal GAAP requires that nonreimbursed costs paid by the Office of\nPersonnel Management for retirement plans be recognized by the receiving entity as an imputed\ncost in order to report the full cost of operations. Since private sector GAAP does not provide\nguidance for the reporting of such imputed costs, these costs are being reported inconsistently, or\nnot at all, by the Department\xe2\x80\x99s component entities.\nThis matter has been reported since FY 2004, and has not been resolved. 
The continued use of\nprivate sector GAAP by certain Treasury component entities decreases the usefulness of\ninformation reported by these entities for users of Federal financial statements and complicates the\npreparation of the Department\xe2\x80\x99s consolidated financial statements.\n\n08-02 Recommendations\n\nWe recommend that the CFO, with input from the Director, AIC, work with those Treasury\nbureaus following FASB reporting standards to achieve conformance so that all reporting entities\nwithin the Department prepare their financial statements in accordance with Federal GAAP in\norder to strengthen and standardize financial accounting and reporting throughout the Department.\nIf statutorily required to report on a different basis of accounting, then a separate set of financial\nstatements should be prepared by these entities to meet such requirements.\n\nManagement Response\n\nThe Federal Accounting Standards Advisory Board (FASAB) has issued an exposure draft entitled\nThe Hierarchy of Generally Accepted Accounting Principles, Including the Application of\nStandards Issued by the Federal Accounting Standards Board which addresses this\n\n\n\n\n                                                  6\n\x0crecommendation. This exposure draft proposes to clarify that a federal entity that is preparing\nGAAP-based financial statements for the first time is required to implement FASAB standards\nunless the entity clearly demonstrates that the needs of its primary users would be best met through\nthe application of FASB standards. The Department is required to provide FASAB exposure draft\ncomments by February 2, 2009.\n\nThis statement also proposes to clarify GAAP for those federal entities that are currently applying\nfinancial accounting and reporting standards issued by the Financial Accounting Standards Board\n(FASB). 
This clarification is intended to address concerns that moving the GAAP hierarchy into\nthe accounting standards would cause a sudden and dramatic change in practice for federal entities\nthat apply FASB GAAP. The Board will determine whether additional reporting should be required\nof federal entities that are currently applying FASB accounting standards as part of its separate\nproject on reporting by federal entities that primarily apply standards issued by the FASB, formerly\nreferred to as the \xe2\x80\x9cAppropriate Source of GAAP\xe2\x80\x9d project.\n\nWhile AIC will continue to encourage Treasury-reporting entities to conform to FASAB standards,\nwe are also monitoring FASAB\xe2\x80\x99s efforts to clarify this issue so that appropriate guidance is\ncommunicated to the affected Treasury reporting entities.\n\n08-03 Mortgage Backed Securities (MBS) Purchase Reconciliations\n\nAs a result of the Housing and Economic Recovery Act of 2008, the Office of Financial\nManagement (OFM), with budgetary support from OPBSP was involved in various financial\ntransactions unique to the Department. These transactions were processed in a shortened time-\nframe causing various control deficiencies related to documentation of policies and procedures and\nfinancial reporting. One transaction type involved the purchase of Government Sponsored\nEnterprise MBS totaling $3.3 billion. We noted that while MBS purchases that were traded and\nsettled as of September 30, 2008 were ultimately reconciled to the information reported by the\nCustodian (a qualified financial institution designated to be the depository and financial agent), the\nreconciliation process was not well documented and there were no written procedures due to the\ntiming of the transactions. 
In addition, initial documentation provided to support the MBS\nreconciliation was either incomplete or incorrect.\n\nFMFIA requires \xe2\x80\x9cinternal accounting and administrative controls of each executive agency shall be\nin accordance with standards prescribed by the Comptroller General.\xe2\x80\x9d The GAO Internal Control\nStandards state, \xe2\x80\x9cInternal control should generally be designed to assure that ongoing monitoring\noccurs in the course of normal operations. It is performed continually and is ingrained in the\nagency\xe2\x80\x99s operations. It includes regular, management and supervisory activities, comparisons,\nreconciliations, and other actions people take in performing their duties.\xe2\x80\x9d\nThe Treasury Financial Manual (TFM), Chapter 3400, \xe2\x80\x9cAccounting for and Reporting on Cash\nand Investments held Outside of the U.S. Treasury,\xe2\x80\x9d Section 3420 states, \xe2\x80\x9cTreasury requires that\nagencies develop policies, systems, and procedures to ensure that cash and investment activity in\nTreasury and non-Treasury accounts is conducted in the following manner:\n\n\n\n\n                                                  7\n\x0c\xe2\x80\xa2   To maintain full accountability and reconciliation control over funds owned by or in the\n    custody of the Federal Government or any Federal Government officer, employee, or agent;\n\xe2\x80\xa2   To comply with applicable statutes regarding the deposit and/or investment of such funds; and\n\xe2\x80\xa2   To support Governmentwide collateral, accounting, and reporting requirements, as described in\n    the TFM.\xe2\x80\x9d\nIn response to questions raised, OFM officials provided additional documentation, revised the\nMBS reconciliation as needed, and assisted in resolving the issues identified.\n\n08-03 Recommendations\n\nWe recommend that the CFO with input from the Directors, OFM and OPBSP:\n\n(1) Ensure that staff responsible for the reconciliation between the MBS assets 
reported by the\n    Department and the MBS assets held by and reported by the Custodian is fully trained and that\n    adequate resources are provided.\n\n(2) Ensure that Treasury implements a formal reconciliation process including appropriate\n    documentation as described in Section 3420 of the TFM, as it is likely that Treasury will\n    continue to increase its exposure to additional asset purchases during FY 2009.\n\n(3) Continue to meet and communicate with the Custodian to ensure all reconciling items are\n    cleared in a timely manner, and to ensure Treasury management has a firm understanding of the\n    reconciling items.\n\nManagement Response\n\nThe Department agrees with these recommendations, and actions are underway to address them.\nOFM is primarily responsible for performing these reconciliations, and is working with both the\nCustodian and the Asset Managers to learn more about the availability of information and to\nprovide further training to responsible staff. Resource requirements are also being reviewed.\n\nA thorough reconciliation was performed as of the end of FY 2008, although not without having to\nrework the reconciliation as we learned more about the transactions and obtained additional\ninformation. 
However, due to these MBS transactions occurring so late in the fiscal year, there was\ninsufficient time to develop formal reconciliation procedures and documentation requirements.\nFormal reconciliation procedures and documentation requirements are being developed in FY\n2009.\n\n08-04: Disaster Recovery Procedures (Repeat Comment)\n\nA Disaster Recovery Plan (DRP) has not yet been fully developed and implemented for two key\nsystems of the Department, the Treasury Information Executive Repository (TIER) and the Chief\n\n\n\n\n                                                8\n\x0cFinancial Office Vision (CFO Vision) financial systems, responsible for the Department\xe2\x80\x99s\nconsolidated financial statement reporting activities.\n\nNational Institute of Standard and Technology (NIST) Special Publication (SP) 800-34,\nContingency Planning Guide for Information Technology Systems, states that \xe2\x80\x9cInformation\nTechnology (IT) and automated information systems are vital elements in most business processes.\nBecause these IT resources are so essential to an organization\xe2\x80\x99s success, it is critical that the\nservices provided by these systems are able to operate effectively without excessive interruption.\nContingency planning supports this requirement by establishing thorough plans and procedures and\ntechnical measures that can enable a system to be recovered quickly and effectively following a\nservice disruption or disaster.\xe2\x80\x9d NIST SP 800-34 also states that \xe2\x80\x9cIT systems are vulnerable to a\nvariety of disruptions, ranging from mild (e.g., short-term power outage, disk drive failure) to\nsevere (e.g., equipment destruction, fire). 
Many vulnerabilities may be minimized or eliminated\nthrough technical, management, or operational solutions as part of the organization\xe2\x80\x99s risk\nmanagement effort; however, it is virtually impossible to completely eliminate all risks.\nContingency planning is designed to mitigate the risk of system and service unavailability by\nfocusing effective and efficient recovery solutions.\xe2\x80\x9d\n\nAdditionally, NIST SP 800-12, An Introduction to Computer Security: The NIST Handbook\n(Chapter 11) states \xe2\x80\x9cContingency planning directly supports an organization's goal of continued\noperations. Organizations practice contingency planning because it makes good business sense. To\navert potential contingencies and disasters or minimize the damage they cause, organizations can\ntake steps early to control the event. Generally called contingency planning, this activity is closely\nrelated to incident handling, which primarily addresses malicious technical threats such as hackers\nand viruses. Contingency planning involves more than planning for a move offsite after a disaster\ndestroys a data center. It also addresses how to keep an organization's critical functions operating in\nthe event of disruptions, both large and small. 
This broader perspective on contingency planning is\nbased on the distribution of computer support throughout an organization.\xe2\x80\x9d\n\nShould a disaster occur without a documented DRP for TIER and CFO Vision, the Deputy Chief\nFinancial Officer\xe2\x80\x99s (DCFO) office\xe2\x80\x99s ability to restore and/or continue operations related to these\nsystems may be significantly delayed.\n\n08-04 Recommendations\n\nWe recommend that the DCFO\xe2\x80\x99s office:\n\n(1) Finalize the TIER and CFO Vision DRP.\n\n(2) Test the DRP annually in accordance with the guidance outlined in NIST SP 800-34.\n\n(3) Update the DRP following any changes made to these systems to ensure that the current\n    version is available for recovery.\n\n\n\n\n                                                  9\n\x0cManagement Response\n\nManagement agrees with these recommendations. The Department has installed the TIER and\nCFO Vision software on the disaster recovery servers (as well as for all FARS applications). A\nconceptual framework has been developed for the monthly refresh of Treasury data and software\ncode and the annual testing of the disaster recovery site. 
Treasury’s team is documenting the procedures and will test them to ensure that they work as anticipated.

08-05 Database-level User Access

The Oracle® database management system that supports TIER has not been configured to log database-level user access.

NIST SP 800-53, Revision 2, Recommended Security Controls for Federal Information Systems, states “The organization regularly reviews/analyzes information system audit records for indications of inappropriate or unusual activity, investigates suspicious activity or suspected violations, reports findings to appropriate officials, and takes necessary actions.”

By not logging the actions of individuals, including those with system administration-level privileges, the potential exists for security-related incidents to go unnoticed and uninvestigated, thus allowing potential unauthorized users to continue attempting to access system resources.

08-05 Recommendation

We recommend that the DCFO’s office configure the TIER Oracle database to log database-level access and actions. At a minimum, this logging should include access attempts, both successful and unsuccessful, and include database administrator and system-level accounts (i.e., sys, system, and sysman).

Management Response

Management agrees with this recommendation. The DCFO’s Office will work with DO’s CIO and the FARS team to develop procedures for the monitoring of the logs of database-level access and actions. The FARS team will need to develop the policy, plans, and procedures for reviewing the logs and taking appropriate actions to address any issues that are identified. Resource requirements will need to be estimated and staff will need to be assigned to support the function.
The budgetary impact will need to be developed and included in the FARS budget estimate.

                                                10

                                                                                EXHIBIT 1

                          DEPARTMENT OF THE TREASURY
                                       Fiscal Year 2008
                                   Management Letter Report
                      Status of Prior Year Management Letter Comments


Prior Year Comments                                Current Year Status

07-01   President’s Budget Reconciliation          This comment has not been corrected and is
                                                   repeated in the current year as comment
                                                   # 08-01.
07-02   Financial Reporting Standards for          This comment has not been corrected and is
        Treasury’s Component Entities              repeated in the current year as comment
                                                   # 08-02.
07-03   Disaster Recovery Procedures               This comment has not been corrected and is
                                                   repeated in the current year as comment
                                                   # 08-04.
07-04   Documentation of Application-Level         This comment has been corrected.
        Changes
07-05   User Account Passwords                     This comment has been corrected.
07-06   Systems Security Plan                      This comment has been corrected.
07-07   Password Configurations                    This comment has been corrected.
07-08   Plan of Action and Milestones Reporting    This comment has been corrected.
07-09   User Access Policies and Procedures        This comment has been corrected.
07-10   Segregation of Duties                      This comment has been corrected.
07-11   Individual User Accountability             This comment has been corrected.

                                              11
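Returning to comment 08-05 above: once the TIER Oracle database logs database-level access, someone still has to pick out the records worth acting on, which is the review step NIST SP 800-53 describes. The script below is an added example, not code from the management letter, Treasury or Oracle; it triages a constructed sample shaped like an export of Oracle's DBA_AUDIT_SESSION view. The account names come from the recommendation; the hosts, OS users, timestamps and the failed-logon threshold are assumptions.

```python
# Added example (not from the management letter, Treasury or Oracle): triage of
# a constructed export shaped like Oracle's DBA_AUDIT_SESSION view, which is
# populated once session auditing (AUDIT SESSION with audit_trail=DB) is on.
import csv
from collections import Counter, namedtuple
from io import StringIO

# Accounts the recommendation names as the minimum scope for logging.
PRIVILEGED_ACCOUNTS = {"SYS", "SYSTEM", "SYSMAN"}
# Threshold is an assumption. Oracle RETURNCODE 0 = success,
# 1017 = ORA-01017 invalid username/password.
FAILED_LOGON_THRESHOLD = 3

# Constructed sample export; hosts, OS users and times are made up.
SAMPLE_AUDIT_EXPORT = """\
USERNAME,OS_USERNAME,USERHOST,TIMESTAMP,RETURNCODE
TIER_APP,tierapp,tier-web01,2008-09-30 08:01:12,0
SYSTEM,dba1,dba-ws07,2008-09-30 08:15:40,0
SYS,unknown,ws-unknown,2008-09-30 22:47:03,1017
SYS,unknown,ws-unknown,2008-09-30 22:47:09,1017
SYS,unknown,ws-unknown,2008-09-30 22:47:15,1017
SYS,unknown,ws-unknown,2008-09-30 22:47:21,1017
TIER_APP,tierapp,tier-web01,2008-09-30 23:00:00,1017
SYSMAN,oem,oem-srv01,2008-10-01 01:02:03,0
"""

# kind is "privileged_logon" or "repeated_failures"
Finding = namedtuple("Finding", "kind account host detail")

def review_sessions(export_text: str) -> list:
    """Records a reviewer should act on: every logon by a privileged account
    (successful or not) and any account/host pair at or over the threshold."""
    findings, failures = [], Counter()
    for row in csv.DictReader(StringIO(export_text)):
        user, host = row["USERNAME"].upper(), row["USERHOST"]
        failed = row["RETURNCODE"] != "0"
        if user in PRIVILEGED_ACCOUNTS:
            status = "failed" if failed else "ok"
            findings.append(Finding("privileged_logon", user, host,
                f"{status} at {row['TIMESTAMP']} (os user {row['OS_USERNAME']})"))
        if failed:
            failures[(user, host)] += 1
    for (user, host), n in failures.items():
        if n >= FAILED_LOGON_THRESHOLD:
            findings.append(Finding("repeated_failures", user, host,
                                    f"{n} failed logons"))
    return findings
```

Which SYS connections land in DBA_AUDIT_SESSION rather than the operating-system audit trail depends on the Oracle version and the audit_sys_operations setting, so a review procedure should draw on both sources before treating the view as complete.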